This worksheet is the culmination of over a decade of measuring the maturity of various security programs. This current iteration is founded on the 2018 NIST Cybersecurity Framework (CSF) with the addition of maturity levels for both policy and practice.

* Policy Maturity: How well do your corporate policies, procedures, standards, and guidelines satisfy the NIST CSF requirements?
* Practice Maturity: How well do your actual operational practices satisfy the NIST CSF requirements regardless of what your policies & standards say?

The goal of the Maturity Level descriptions is to provide some guidance around what good practices look like. If, for example, you believe that a 5% policy exception rate is too high for a Level 3 maturity, feel free to change it to better suit your needs.

Finally, this is in no way intended to infringe upon any work the good folks over at NIST have done. All of the questions and associated information on the ‘NIST CSF Details’ tab is completely owned by NIST. Certain cells are protected so the user doesn't accidentally step on a formula. You can unprotect the worksheet using password '2018NISTCMM'.

I hope you find this useful.

Email inquiries/suggestions to John@JohnMasserini.com

Directions:
1) Review the ‘Maturity Levels’ tab to gain an understanding of how to rank each of the controls in the ‘NIST CSF Details’ tab. There are different meanings for each level of maturity between the policy column versus the practices column.

2) On the ‘CSF Summary’ tab, review the Target Scores for applicability within your organization. In most cases, the target of some controls will be different than others. This is meant to be an ‘end goal’ of what you think the right level of control is for your organization.

3) Using the 1-5 values in the Maturity tab, enter a value in each of the Policy/Practice cells. In order to provide as much functionality as possible, you are not locked into a hard 0-5 value; partial values (e.g. 2.5) are permitted. Sample values are provided only to demonstrate the functionality of the chart on the ‘CSF Summary’ page.
CSF Summary (2018)

NIST 2018 CSF Categories                                          Target  Policy  Practice
                                                                  Score   Score   Score
Overall                                                           3.00    3.02    2.70

IDENTIFY (ID)
  Asset Management (ID.AM)                                        3.00    3.42    2.00
  Business Environment (ID.BE)                                    3.00    3.00    1.20
  Governance (ID.GV)                                              3.00    5.00    3.00
  Risk Assessment (ID.RA)                                         3.00    2.00    4.00
  Risk Management Strategy (ID.RM)                                3.00    4.00    2.00
  Supply Chain Risk Management (ID.SC)                            3.00    1.00    3.00

PROTECT (PR)
  Identity Management, Authentication and Access Control (PR.AC)  3.00    3.00    1.00
  Awareness and Training (PR.AT)                                  3.00    5.00    3.00
  Data Security (PR.DS)                                           3.00    1.00    3.00
  Information Protection Processes and Procedures (PR.IP)         3.00    3.00    1.00
  Maintenance (PR.MA)                                             3.00    5.00    4.00
  Protective Technology (PR.PT)                                   3.00    1.00    2.00

DETECT (DE)
  Anomalies and Events (DE.AE)                                    3.00    3.00    5.00
  Security Continuous Monitoring (DE.CM)                          3.00    5.00    2.00
  Detection Processes (DE.DP)                                     3.00    2.00    3.00

RESPOND (RS)
  Response Planning (RS.RP)                                       3.00    4.00    1.00
  Communications (RS.CO)                                          3.00    1.00    4.00
  Analysis (RS.AN)                                                3.00    2.00    5.00
  Mitigation (RS.MI)                                              3.00    3.00    2.00
  Improvements (RS.IM)                                            3.00    4.00    2.00

RECOVER (RC)
  Recovery Planning (RC.RP)                                       3.00    5.00    3.00
  Improvements (RC.IM)                                            3.00    1.00    3.00
  Communications (RC.CO)                                          3.00    3.00    3.00

[Radar chart on the ‘CSF Summary’ tab: "NIST Cyber Security Framework Maturity Levels". Axes: the 23 categories above, scale 0.0 to 5.0. Series: Target Score, Policy Score, Practice Score. Level legend: 5 - Optimal, 4 - Managed, 3 - Defined, 2 - Acknowledged, 1 - Initial, 0 - Non-existent.]
Maturity Levels

Columns: Maturity Level; Expectation of Policy Maturity Level; Expectation of Process Maturity Level.

Level 1 - Initial
  Policy:  Policy or standard does not exist or is not formally approved by management.
  Process: Standard process does not exist.

Level 2 - Repeatable
  Policy:  Policy or standard exists, but has not been reviewed in more than 2 years.
  Process: Ad-hoc process exists and is done informally.

Level 3 - Defined
  Policy:  Policy and standard exists with formal management approval. Policy exceptions are documented, approved and occur less than 5% of the time.
  Process: Formal process exists and is documented. Evidence can be provided for most activities. Less than 10% exceptions.

Level 4 - Managed
  Policy:  Policy and standard exists with formal management approval. Policy exceptions are documented, approved and occur less than 3% of the time.
  Process: Formal process exists and is documented. Evidence can be provided for all activities and detailed metrics of the process are captured and reported. Minimal target for metrics has been established. Less than 5% of process exceptions occur with minimal recurring exceptions.

Level 5 - Optimizing
  Policy:  Policy and standard exists with formal management approval. Policy exceptions are documented, approved and occur less than 0.5% of the time.
  Process: Formal process exists and is documented. Evidence can be provided for all activities and detailed metrics of the process are captured and reported. Minimal target for metrics has been established and continually improving. Less than 1% of process exceptions occur.
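As an added example (not the worksheet's own formulas), the Python below reproduces the roll-up behind the ‘CSF Summary’ tab: subcategory scores average into a category score, categories into a Function score and an Overall score, and each category is checked against its Target Score. The unweighted mean is an assumption, since the sheet's formulas are not visible here, but it reproduces the 3.42, 3.02 and 2.70 figures shown; the sample data are the page's category-level values plus the ID.AM-1 to ID.AM-6 policy maturity values from the details tab.

```python
"""Score roll-up of the NIST CSF maturity worksheet ('CSF Summary' tab).

Added example for this page, not the worksheet's own formulas. Assumption: each
roll-up is an unweighted mean (subcategories -> category, categories -> Function,
all categories -> Overall); this reproduces the sheet's 3.42 / 3.02 / 2.70 figures.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean

SCORE_MIN, SCORE_MAX = 0.0, 5.0  # the tool's 0-5 scale; partial values such as 2.5 or 1.2 are allowed

# Sample values copied from the page's 'CSF Summary' tab: category id -> policy / practice score.
SUMMARY_2018: dict[str, dict[str, float]] = {
    "ID.AM": {"policy": 3.42, "practice": 2.00}, "ID.BE": {"policy": 3.00, "practice": 1.20},
    "ID.GV": {"policy": 5.00, "practice": 3.00}, "ID.RA": {"policy": 2.00, "practice": 4.00},
    "ID.RM": {"policy": 4.00, "practice": 2.00}, "ID.SC": {"policy": 1.00, "practice": 3.00},
    "PR.AC": {"policy": 3.00, "practice": 1.00}, "PR.AT": {"policy": 5.00, "practice": 3.00},
    "PR.DS": {"policy": 1.00, "practice": 3.00}, "PR.IP": {"policy": 3.00, "practice": 1.00},
    "PR.MA": {"policy": 5.00, "practice": 4.00}, "PR.PT": {"policy": 1.00, "practice": 2.00},
    "DE.AE": {"policy": 3.00, "practice": 5.00}, "DE.CM": {"policy": 5.00, "practice": 2.00},
    "DE.DP": {"policy": 2.00, "practice": 3.00}, "RS.RP": {"policy": 4.00, "practice": 1.00},
    "RS.CO": {"policy": 1.00, "practice": 4.00}, "RS.AN": {"policy": 2.00, "practice": 5.00},
    "RS.MI": {"policy": 3.00, "practice": 2.00}, "RS.IM": {"policy": 4.00, "practice": 2.00},
    "RC.RP": {"policy": 5.00, "practice": 3.00}, "RC.IM": {"policy": 1.00, "practice": 3.00},
    "RC.CO": {"policy": 3.00, "practice": 3.00},
}
# The sheet's sample data sets every Target Score to 3.00.
TARGETS_2018 = {cat_id: 3.00 for cat_id in SUMMARY_2018}
# Policy Maturity values for ID.AM-1 .. ID.AM-6 from the page's 'NIST CSF Details' tab.
ID_AM_POLICY = [4.3, 4.0, 1.2, 4.0, 4.0, 3.0]


def check_score(value: float) -> float:
    """Reject anything outside the 0-5 scale; fractional values pass through unchanged."""
    if not SCORE_MIN <= value <= SCORE_MAX:
        raise ValueError(f"maturity score {value} is outside the 0-5 scale")
    return float(value)


def category_score(subcategory_scores: list[float]) -> float:
    """Unweighted mean of a category's subcategory scores, shown to two decimals like the sheet."""
    return round(mean(check_score(s) for s in subcategory_scores), 2)


def rollup(categories: dict[str, dict[str, float]]) -> dict[str, dict[str, float]]:
    """Aggregate category scores to Function level ('ID', 'PR', ...) plus an 'Overall' row.

    Function = mean of that Function's categories. Overall = mean of all categories with
    equal weight (not the mean of the Function means, which gives a different number).
    """
    by_function: dict[str, list[dict[str, float]]] = defaultdict(list)
    for cat_id, scores in categories.items():
        by_function[cat_id.split(".")[0]].append(scores)  # 'ID.AM' -> Function 'ID'
    result = {
        func: {k: round(mean(r[k] for r in rows), 2) for k in ("policy", "practice")}
        for func, rows in by_function.items()
    }
    result["Overall"] = {
        k: round(mean(r[k] for r in categories.values()), 2) for k in ("policy", "practice")
    }
    return result


def gaps(categories: dict[str, dict[str, float]], targets: dict[str, float]) -> dict[str, dict[str, float]]:
    """Categories whose policy or practice score is below their Target Score, with the shortfall."""
    report = {}
    for cat_id, scores in categories.items():
        target = targets[cat_id]
        short = {k: round(target - v, 2) for k, v in scores.items() if v < target}
        if short:
            report[cat_id] = short
    return report


if __name__ == "__main__":
    print("ID.AM policy score from its subcategories:", category_score(ID_AM_POLICY))
    for name, scores in rollup(SUMMARY_2018).items():
        print(f"{name:8} policy {scores['policy']:.2f}  practice {scores['practice']:.2f}")
    for cat_id, short in gaps(SUMMARY_2018, TARGETS_2018).items():
        print(f"{cat_id}: below target by {short}")
```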
NIST CSF Details: Function, Category, Subcategory

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  ID.AM-1: Physical devices and systems within the organization are inventoried
  ID.AM-2: Software platforms and applications within the organization are inventoried
  ID.AM-3: Organizational communication and data flows are mapped
  ID.AM-4: External information systems are catalogued
  ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
  ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  Category Maturity Score

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  ID.BE-1: The organization’s role in the supply chain is identified and communicated
  ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
  Category Maturity Score

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  ID.GV-1: Organizational cybersecurity policy is established and communicated
  ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
  ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
  ID.GV-4: Governance and risk management processes address cybersecurity risks
  Category Maturity Score

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  ID.RA-1: Asset vulnerabilities are identified and documented
  ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
  ID.RA-3: Threats, both internal and external, are identified and documented
  ID.RA-4: Potential business impacts and likelihoods are identified
  ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  ID.RA-6: Risk responses are identified and prioritized
  Category Maturity Score

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
  ID.RM-2: Organizational risk tolerance is determined and clearly expressed
  ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
  Category Maturity Score

Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
  ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
  ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
  ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
  ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
  ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers
  Category Maturity Score

PROTECT (PR)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
  PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
  PR.AC-2: Physical access to assets is managed and protected
  PR.AC-3: Remote access is managed
  PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
  PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
  PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
  PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
  Category Maturity Score

Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
  PR.AT-1: All users are informed and trained
  PR.AT-2: Privileged users understand their roles and responsibilities
  PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
  PR.AT-4: Senior executives understand their roles and responsibilities
  PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities
  Category Maturity Score

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
  PR.DS-1: Data-at-rest is protected
  PR.DS-2: Data-in-transit is protected
  PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  PR.DS-4: Adequate capacity to ensure availability is maintained
  PR.DS-5: Protections against data leaks are implemented
  PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
  PR.DS-7: The development and testing environment(s) are separate from the production environment
  PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
  Category Maturity Score

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
  PR.IP-2: A System Development Life Cycle to manage systems is implemented
  PR.IP-3: Configuration change control processes are in place
  PR.IP-4: Backups of information are conducted, maintained, and tested
  PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
  PR.IP-6: Data is destroyed according to policy
  PR.IP-7: Protection processes are improved
  PR.IP-8: Effectiveness of protection technologies is shared
  PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  PR.IP-10: Response and recovery plans are tested
  PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  PR.IP-12: A vulnerability management plan is developed and implemented
  Category Maturity Score

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
  PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
  PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
  Category Maturity Score

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
  PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  PR.PT-2: Removable media is protected and its use restricted according to policy
  PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
  PR.PT-4: Communications and control networks are protected
  PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
  Category Maturity Score

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood.
  DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  DE.AE-2: Detected events are analyzed to understand attack targets and methods
  DE.AE-3: Event data are collected and correlated from multiple sources and sensors
  DE.AE-4: Impact of events is determined
  DE.AE-5: Incident alert thresholds are established
  Category Maturity Score

Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
  DE.CM-1: The network is monitored to detect potential cybersecurity events
  DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
  DE.CM-4: Malicious code is detected
  DE.CM-5: Unauthorized mobile code is detected
  DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  DE.CM-8: Vulnerability scans are performed
  Category Maturity Score

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
  DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
  DE.DP-2: Detection activities comply with all applicable requirements
  DE.DP-3: Detection processes are tested
  DE.DP-4: Event detection information is communicated
  DE.DP-5: Detection processes are continuously improved
  Category Maturity Score

RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
  RS.RP-1: Response plan is executed during or after an incident
  Category Maturity Score

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
  RS.CO-1: Personnel know their roles and order of operations when a response is needed
  RS.CO-2: Incidents are reported consistent with established criteria
  RS.CO-3: Information is shared consistent with response plans
  RS.CO-4: Coordination with stakeholders occurs consistent with response plans
  RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
  Category Maturity Score

Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.
  RS.AN-1: Notifications from detection systems are investigated
  RS.AN-2: The impact of the incident is understood
  RS.AN-3: Forensics are performed
  RS.AN-4: Incidents are categorized consistent with response plans
  RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
  Category Maturity Score

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
  RS.MI-1: Incidents are contained
  RS.MI-2: Incidents are mitigated
  RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
  Category Maturity Score

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
  RS.IM-1: Response plans incorporate lessons learned
  RS.IM-2: Response strategies are updated
  Category Maturity Score

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
  RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
  Category Maturity Score

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
  RC.IM-1: Recovery plans incorporate lessons learned
  RC.IM-2: Recovery strategies are updated
  Category Maturity Score

Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
  RC.CO-1: Public relations are managed
  RC.CO-2: Reputation is repaired after an incident
  RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams
  Category Maturity Score
Policy
Informative References
Maturity
· CIS CSC 1
· COBIT 5 BAI09.01, BAI09.02
· ISA 62443-2-1:2009 4.2.3.4
4.3
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
· NIST SP 800-53 Rev. 4 CM-8, PM-5
· CIS CSC 2
· COBIT 5 BAI09.01, BAI09.02, BAI09.05
· ISA 62443-2-1:2009 4.2.3.4
4.0
· ISA 62443-3-3:2013 SR 7.8
· ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1
· NIST SP 800-53 Rev. 4 CM-8, PM-5
· CIS CSC 12
· COBIT 5 DSS05.02
· ISA 62443-2-1:2009 4.2.3.4 1.2
· ISO/IEC 27001:2013 A.13.2.1, A.13.2.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
· CIS CSC 12
· COBIT 5 APO02.02, APO10.04, DSS01.02
4.0
· ISO/IEC 27001:2013 A.11.2.6
· NIST SP 800-53 Rev. 4 AC-20, SA-9
· CIS CSC 13, 14
· COBIT 5 APO03.03, APO03.04, APO12.01, BAI04.02, BAI09.02
· ISA 62443-2-1:2009 4.2.3.6 4.0
· ISO/IEC 27001:2013 A.8.2.1
· NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14, SC-6
· CIS CSC 17, 19
· COBIT 5 APO01.02, APO07.06, APO13.01, DSS06.03
· ISA 62443-2-1:2009 4.3.2.3.3 3.0
· ISO/IEC 27001:2013 A.6.1.1
· NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
3.4
· COBIT 5 APO08.01, APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2 3.0
· NIST SP 800-53 Rev. 4 CP-2, SA-12
· COBIT 5 APO02.06, APO03.01
· ISO/IEC 27001:2013 Clause 4.1 3.0
· NIST SP 800-53 Rev. 4 PM-8
· COBIT 5 APO02.01, APO02.06, APO03.01
· ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 3.0
· NIST SP 800-53 Rev. 4 PM-11, SA-14
· COBIT 5 APO10.01, BAI04.02, BAI09.02
· ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3 3.0
· NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
· COBIT 5 BAI03.02, DSS04.02
3.0
· ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1 3.0
· NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-13, SA-14
3.0
· CIS CSC 19
· COBIT 5 APO01.03, APO13.01, EDM01.01, EDM01.02
· ISA 62443-2-1:2009 4.3.2.6 5.0
· ISO/IEC 27001:2013 A.5.1.1
· NIST SP 800-53 Rev. 4 -1 controls from all security control families
· CIS CSC 19
· COBIT 5 APO01.02, APO10.03, APO13.02, DSS05.04
· ISA 62443-2-1:2009 4.3.2.3.3 5.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.15.1.1
· NIST SP 800-53 Rev. 4 PS-7, PM-1, PM-2
· CIS CSC 19
· COBIT 5 BAI02.01, MEA03.01, MEA03.04
· ISA 62443-2-1:2009 4.4.3.7 5.0
· ISO/IEC 27001:2013 A.18.1.1, A.18.1.2, A.18.1.3, A.18.1.4, A.18.1.5
· NIST SP 800-53 Rev. 4 -1 controls from all security control families
· COBIT 5 EDM03.02, APO12.02, APO12.05, DSS04.02
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
5.0
· ISO/IEC 27001:2013 Clause 6
· NIST SP 800-53 Rev. 4 SA-2, PM-3, PM-7, PM-9, PM-10, PM-11
5.0
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12 2.0
· ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
· CIS CSC 4
· COBIT 5 BAI08.01
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 2.0
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16
· CIS CSC 4
· COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 2.0
· ISO/IEC 27001:2013 Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
· CIS CSC 4
· COBIT 5 DSS04.02
· ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 2.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 6.1.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-14, PM-9, PM-11
· CIS CSC 4
· COBIT 5 APO12.02
2.0
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
· CIS CSC 4
· COBIT 5 APO12.05, APO13.02
2.0
· ISO/IEC 27001:2013 Clause 6.1.3
· NIST SP 800-53 Rev. 4 PM-4, PM-9
2.0
· CIS CSC 4
· COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
· ISA 62443-2-1:2009 4.3.4.2 4.0
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3, Clause 9.3
· NIST SP 800-53 Rev. 4 PM-9
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.2.6.5
4.0
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3
· NIST SP 800-53 Rev. 4 PM-9
· COBIT 5 APO12.02
· ISO/IEC 27001:2013 Clause 6.1.3, Clause 8.3 4.0
· NIST SP 800-53 Rev. 4 SA-14, PM-8, PM-9, PM-11
4.0
· CIS CSC 4
· COBIT 5 APO10.01, APO10.04, APO12.04, APO12.05, APO13.02, BAI01.03, BAI02.03,
BAI04.02
1.0
· ISA 62443-2-1:2009 4.3.4.2
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 SA-9, SA-12, PM-9
· COBIT 5 APO10.01, APO10.02, APO10.04, APO10.05, APO12.01, APO12.02, APO12.03,
APO12.04, APO12.05, APO12.06, APO13.02, BAI02.03
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.2, 4.2.3.3, 4.2.3.4, 4.2.3.6, 4.2.3.8, 4.2.3.9, 4.2.3.10, 4.2.3.12,
4.2.3.13, 4.2.3.14 1.0
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 RA-2, RA-3, SA-12, SA-14, SA-15, PM-9
· COBIT 5 APO10.01, APO10.02, APO10.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.6.4, 4.3.2.6.7
1.0
· ISO/IEC 27001:2013 A.15.1.1, A.15.1.2, A.15.1.3
· NIST SP 800-53 Rev. 4 SA-9, SA-11, SA-12, PM-9
· COBIT 5 APO10.01, APO10.03, APO10.04, APO10.05, MEA01.01, MEA01.02, MEA01.03,
MEA01.04, MEA01.05
· ISA 62443-2-1:2009 4.3.2.6.7
1.0
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.15.2.1, A.15.2.2
· NIST SP 800-53 Rev. 4 AU-2, AU-6, AU-12, AU-16, PS-7, SA-9, SA-12
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
1.0
· ISA 62443-3-3:2013 SR 2.8, SR 3.3, SR.6.1, SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-4, IR-3, IR-4, IR-6, IR-8, IR-9
1.0
· CIS CSC 1, 5, 15, 16

3.0
· COBIT 5 DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.3.5.1
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 3.0
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3
· NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10,
IA-11
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.3, A.11.1.4, A.11.1.5, A.11.1.6, A.11.2.1, 3.0
A.11.2.3, A.11.2.5, A.11.2.6, A.11.2.7, A.11.2.8
· NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-8
· CIS CSC 12
· COBIT 5 APO13.01, DSS01.04, DSS05.03
· ISA 62443-2-1:2009 4.3.3.6.6
3.0
· ISA 62443-3-3:2013 SR 1.13, SR 2.6
· ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15
· CIS CSC 3, 5, 12, 14, 15, 16, 18
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.7.3
3.0
· ISA 62443-3-3:2013 SR 2.1
· ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
· CIS CSC 9, 14, 15, 18
· COBIT 5 DSS01.05, DSS05.02
· ISA 62443-2-1:2009 4.3.3.4
3.0
· ISA 62443-3-3:2013 SR 3.1, SR 3.8
· ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7
· CIS CSC, 16
· COBIT 5 DSS05.04, DSS05.05, DSS05.07, DSS06.03
· ISA 62443-2-1:2009 4.3.3.2.2, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.4
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.4, SR 1.5, SR 1.9, SR 2.1 3.0
· ISO/IEC 27001:2013, A.7.1.1, A.9.2.1
· NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8,
PE-2, PS-3
· CIS CSC 1, 12, 15, 16
· COBIT 5 DSS05.04, DSS05.10, DSS06.10
· ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7,
4.3.3.6.8, 4.3.3.6.9
3.0
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 1.10
· ISO/IEC 27001:2013 A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, A.18.1.4
· NIST SP 800-53 Rev. 4 AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5,
IA-8, IA-9, IA-10, IA-11
3.0
· CIS CSC 17, 18
· COBIT 5 APO07.03, BAI05.07
· ISA 62443-2-1:2009 4.3.2.4.2 5.0
5.0
· ISO/IEC 27001:2013 A.7.2.2, A.12.2.1
· NIST SP 800-53 Rev. 4 AT-2, PM-13
· CIS CSC 5, 17, 18
· COBIT 5 APO07.02, DSS05.04, DSS06.03
· ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3 5.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
· CIS CSC 17
· COBIT 5 APO07.03, APO07.06, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2 5.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9, SA-16
· CIS CSC 17, 19
· COBIT 5 EDM01.01, APO01.02, APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2 5.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, PM-13
· CIS CSC 17
· COBIT 5 APO07.03
· ISA 62443-2-1:2009 4.3.2.4.2 5.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 AT-3, IR-2, PM-13
5.0
· CIS CSC 13, 14
· COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06
· ISA 62443-3-3:2013 SR 3.4, SR 4.1 1.0
· ISO/IEC 27001:2013 A.8.2.3
· NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28
· CIS CSC 13, 14
· COBIT 5 APO01.06, DSS05.02, DSS06.06
· ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2 1.0
· ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
· NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12
· CIS CSC 1
· COBIT 5 BAI09.03
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
1.0
· ISA 62443-3-3:2013 SR 4.2
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7
· NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
· CIS CSC 1, 2, 13
· COBIT 5 APO13.01, BAI04.04
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
1.0
· ISO/IEC 27001:2013 A.12.1.3, A.17.2.1
· NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
· CIS CSC 13
· COBIT 5 APO01.06, DSS05.04, DSS05.07, DSS06.02
· ISA 62443-3-3:2013 SR 5.2
1.0
· ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
1.0

· NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

· CIS CSC 2, 3
· COBIT 5 APO01.06, BAI06.01, DSS06.02
· ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
1.0
· ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4
· NIST SP 800-53 Rev. 4 SC-16, SI-7
· CIS CSC 18, 20
· COBIT 5 BAI03.08, BAI07.04
1.0
· ISO/IEC 27001:2013 A.12.1.4
· NIST SP 800-53 Rev. 4 CM-2
· COBIT 5 BAI03.05
· ISA 62443-2-1:2009 4.3.4.4.4
1.0
· ISO/IEC 27001:2013 A.11.2.4
· NIST SP 800-53 Rev. 4 SA-10, SI-7
1.0
· CIS CSC 3, 9, 11
· COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
3.0
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
· CIS CSC 18
· COBIT 5 APO13.01, BAI03.01, BAI03.02, BAI03.03
· ISA 62443-2-1:2009 4.3.4.3.3
3.0
· ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
· NIST SP 800-53 Rev. 4 PL-8, SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, SI-12, SI-13, SI-14, SI-16, SI-17
· CIS CSC 3, 11
· COBIT 5 BAI01.06, BAI06.01
· ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
3.0
· ISA 62443-3-3:2013 SR 7.6
· ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
· NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
· CIS CSC 10
· COBIT 5 APO13.01, DSS01.01, DSS04.07
· ISA 62443-2-1:2009 4.3.4.3.9
3.0
· ISA 62443-3-3:2013 SR 7.3, SR 7.4
· ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
· NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
· COBIT 5 DSS01.04, DSS05.05
· ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
3.0
· ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
· NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
· COBIT 5 BAI09.03, DSS05.06

3.0
· ISA 62443-2-1:2009 4.3.4.4.4
· ISA 62443-3-3:2013 SR 4.2
3.0
· ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
· NIST SP 800-53 Rev. 4 MP-6
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
3.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 9, Clause 10
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6
· COBIT 5 BAI08.04, DSS03.04
· ISO/IEC 27001:2013 A.16.1.6
3.0
· NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
· CIS CSC 19
· COBIT 5 APO12.06, DSS04.03
· ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
3.0
· ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2, A.17.1.3
· NIST SP 800-53 Rev. 4 CP-2, CP-7, CP-12, CP-13, IR-7, IR-8, IR-9, PE-17
· CIS CSC 19, 20
· COBIT 5 DSS04.04
· ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
3.0
· ISA 62443-3-3:2013 SR 3.3
· ISO/IEC 27001:2013 A.17.1.3
· NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14
· CIS CSC 5, 16
· COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
· ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
3.0
· ISO/IEC 27001:2013 A.7.1.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3, A.7.3.1, A.8.1.4
· NIST SP 800-53 Rev. 4 PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-21
· CIS CSC 4, 18, 20
· COBIT 5 BAI03.10, DSS05.01, DSS05.02
3.0
· ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
3.0
· COBIT 5 BAI03.10, BAI09.02, BAI09.03, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.7
5.0
· ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6
· NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5, MA-6
· CIS CSC 3, 5
· COBIT 5 DSS05.04
· ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8
5.0
· ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
· NIST SP 800-53 Rev. 4 MA-4
5.0
· CIS CSC 1, 3, 5, 6, 14, 15, 16
· COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01
· ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
1.0
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
1.0

· NIST SP 800-53 Rev. 4 AU Family


· CIS CSC 8, 13
· COBIT 5 APO13.01, DSS05.02, DSS05.06
· ISA 62443-3-3:2013 SR 2.3
1.0
· ISO/IEC 27001:2013 A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
· NIST SP 800-53 Rev. 4 MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
· CIS CSC 3, 11, 14
· COBIT 5 DSS05.02, DSS05.05, DSS06.06
· ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
1.0
· ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
· ISO/IEC 27001:2013 A.9.1.2
· NIST SP 800-53 Rev. 4 AC-3, CM-7
· CIS CSC 8, 12, 15
· COBIT 5 DSS05.02, APO13.01
· ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
1.0
· ISO/IEC 27001:2013 A.13.1.1, A.13.2.1, A.14.1.3
· NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43
· COBIT 5 BAI04.01, BAI04.02, BAI04.03, BAI04.04, BAI04.05, DSS01.05
· ISA 62443-2-1:2009 4.3.2.5.2
· ISA 62443-3-3:2013 SR 7.1, SR 7.2
1.0
· ISO/IEC 27001:2013 A.17.1.2, A.17.2.1
· NIST SP 800-53 Rev. 4 CP-7, CP-8, CP-11, CP-13, PL-8, SA-14, SC-6
1.0
· CIS CSC 1, 4, 6, 12, 13, 15, 16
· COBIT 5 DSS03.01
· ISA 62443-2-1:2009 4.4.3.3
3.0
· ISO/IEC 27001:2013 A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2
· NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
· CIS CSC 3, 6, 13, 15
· COBIT 5 DSS05.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
3.0
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
· CIS CSC 1, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15, 16
· COBIT 5 BAI08.02
· ISA 62443-3-3:2013 SR 6.1
3.0
· ISO/IEC 27001:2013 A.12.4.1, A.16.1.7
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
· CIS CSC 4, 6
· COBIT 5 APO12.06, DSS03.01
3.0
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
· CIS CSC 6, 19
· COBIT 5 APO12.06, DSS03.01
· ISA 62443-2-1:2009 4.2.3.10
3.0
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
3.0
· CIS CSC 1, 7, 8, 12, 13, 15, 16
· COBIT 5 DSS01.03, DSS03.05, DSS05.07
5.0
· ISA 62443-3-3:2013 SR 6.2
· NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
· COBIT 5 DSS01.04, DSS01.05
· ISA 62443-2-1:2009 4.3.3.3.8
5.0
· ISO/IEC 27001:2013 A.11.1.1, A.11.1.2
· NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
· CIS CSC 5, 7, 14, 16
· COBIT 5 DSS05.07
· ISA 62443-3-3:2013 SR 6.2
5.0
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3
· NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
· CIS CSC 4, 7, 8, 12
· COBIT 5 DSS05.01
· ISA 62443-2-1:2009 4.3.4.3.8
5.0
· ISA 62443-3-3:2013 SR 3.2
· ISO/IEC 27001:2013 A.12.2.1
· NIST SP 800-53 Rev. 4 SI-3, SI-8
· CIS CSC 7, 8
· COBIT 5 DSS05.01
· ISA 62443-3-3:2013 SR 2.4
5.0
· ISO/IEC 27001:2013 A.12.5.1, A.12.6.2
· NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
· COBIT 5 APO07.06, APO10.05
· ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
5.0
· NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
· CIS CSC 1, 2, 3, 5, 9, 12, 13, 15, 16
· COBIT 5 DSS05.02, DSS05.05
5.0
· ISO/IEC 27001:2013 A.12.4.1, A.14.2.7, A.15.2.1
· NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
· CIS CSC 4, 20
· COBIT 5 BAI03.10, DSS05.01
· ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
5.0
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 RA-5
5.0
· CIS CSC 19
· COBIT 5 APO01.02, DSS05.01, DSS06.03
· ISA 62443-2-1:2009 4.4.3.1
2.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
2.0

· NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14


· COBIT 5 DSS06.01, MEA03.03, MEA03.04
· ISA 62443-2-1:2009 4.4.3.2
2.0
· ISO/IEC 27001:2013 A.18.1.4, A.18.2.2, A.18.2.3
· NIST SP 800-53 Rev. 4 AC-25, CA-2, CA-7, SA-18, SI-4, PM-14
· COBIT 5 APO13.02, DSS05.02
· ISA 62443-2-1:2009 4.4.3.2
· ISA 62443-3-3:2013 SR 3.3
2.0
· ISO/IEC 27001:2013 A.14.2.8
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14
· CIS CSC 19
· COBIT 5 APO08.04, APO12.06, DSS02.05
· ISA 62443-2-1:2009 4.3.4.5.9
2.0
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.16.1.2, A.16.1.3
· NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4
· COBIT 5 APO11.06, APO12.06, DSS04.05
· ISA 62443-2-1:2009 4.4.3.4
2.0
· ISO/IEC 27001:2013 A.16.1.6
· NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
2.0
· CIS CSC 19
· COBIT 5 APO12.06, BAI01.10
· ISA 62443-2-1:2009 4.3.4.5.1
4.0
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
4.0
· CIS CSC 19
· COBIT 5 EDM03.02, APO01.02, APO12.03
· ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
1.0
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, A.16.1.1
· NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
· CIS CSC 19
· COBIT 5 DSS01.03
· ISA 62443-2-1:2009 4.3.4.5.5
1.0
· ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
· NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
· CIS CSC 19
· COBIT 5 DSS03.04
· ISA 62443-2-1:2009 4.3.4.5.2
1.0
· ISO/IEC 27001:2013 A.16.1.2, Clause 7.4, Clause 16.1.2
· NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
· CIS CSC 19
· COBIT 5 DSS03.04
· ISA 62443-2-1:2009 4.3.4.5.5
1.0
· ISO/IEC 27001:2013 Clause 7.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· CIS CSC 19
· COBIT 5 BAI08.04
1.0
· ISO/IEC 27001:2013 A.6.1.4
· NIST SP 800-53 Rev. 4 SI-5, PM-15
1.0
· CIS CSC 4, 6, 8, 19
· COBIT 5 DSS02.04, DSS02.07
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
2.0
· ISA 62443-3-3:2013 SR 6.1
· ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
· NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
2.0
· ISO/IEC 27001:2013 A.16.1.4, A.16.1.6
· NIST SP 800-53 Rev. 4 CP-2, IR-4
· COBIT 5 APO12.06, DSS03.02, DSS05.07
· ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
2.0
· ISO/IEC 27001:2013 A.16.1.7
· NIST SP 800-53 Rev. 4 AU-7, IR-4
· CIS CSC 19
· COBIT 5 DSS02.02
· ISA 62443-2-1:2009 4.3.4.5.6
2.0
· ISO/IEC 27001:2013 A.16.1.4
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
· CIS CSC 4, 19
· COBIT 5 EDM03.02, DSS05.07
2.0
· NIST SP 800-53 Rev. 4 SI-5, PM-15
2.0
· CIS CSC 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6
3.0
· ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· CIS CSC 4, 19
· COBIT 5 APO12.06
· ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
3.0
· ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
· NIST SP 800-53 Rev. 4 IR-4
· CIS CSC 4
· COBIT 5 APO12.06
3.0
· ISO/IEC 27001:2013 A.12.6.1
· NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
3.0
· COBIT 5 BAI01.13
· ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
4.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
4.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 BAI01.13, DSS04.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
4.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
4.0
· CIS CSC 10
· COBIT 5 APO12.06, DSS02.05, DSS03.04
5.0
· ISO/IEC 27001:2013 A.16.1.5
· NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
5.0
· COBIT 5 APO12.06, BAI05.07, DSS04.08
· ISA 62443-2-1:2009 4.4.3.4
1.0
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
· COBIT 5 APO12.06, BAI07.08
· ISO/IEC 27001:2013 A.16.1.6, Clause 10
1.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
1.0
· COBIT 5 EDM03.02
3.0
· ISO/IEC 27001:2013 A.6.1.4, Clause 7.4
· COBIT 5 MEA03.02
3.0
· ISO/IEC 27001:2013 Clause 7.4
· COBIT 5 APO12.06
· ISO/IEC 27001:2013 Clause 7.4
3.0
· NIST SP 800-53 Rev. 4 CP-2, IR-4
3.0
Practice Maturity (column of per-control sample scores; the row labels did not survive extraction, so the values are omitted here)
Document / Link
NIST 800-53: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
CIS CSC: https://www.cisecurity.org/controls/
COBIT 5: http://www.isaca.org/cobit/pages/default.aspx
ISA 62443 (All): https://www.isa.org/standards-and-publications/isa-standards/find-isa-standards-in-numerical-order/
ISO/IEC 27001: https://www.iso.org/isoiec-27001-information-security.html
